Re: question about oracle advisory
From: David Litchfield (david_at_ngssoftware.com)
To: <email@example.com>
Date: Wed, 6 Aug 2003 16:54:00 -0700
Hello Daymon and All,
I have CC'd in the Oracle Security Team...
> Do you have any plans to release proof of concept code for the Oracle
> exploit? The reason I ask is that "due to architectural constraints,"
> Oracle is not planning on releasing a patch for 8i releases. We contacted
> them about this, but they're sticking to their guns about the exploit
> requiring oracle authentication, and thus being a low(er)-risk
I know Oracle 9 is vulnerable and can be exploited without a user ID or
password. I demonstrated an exploit for this problem at the European
Blackhat Security Briefings. I know a number of the Oracle security guys
have actually read the associated paper and are (or at least should be)
_FULLY_ aware that this vulnerability _CAN_ be exploited without
credentials. Oracle: let me know if you need more proof of this and I can
send you the exploit.
As this new bug was introduced in the patch for the problem I reported
here - http://www.nextgenss.com/advisories/oraplsextproc.txt - and Oracle
will not give out patches to those who are not customers, I've never had the
opportunity to test this on 8.
At an educated guess, however, I believe 8 will be the same as 9.
> To quote the analyst that responded, "I'm not able to comment on David
> Litchfield's claims, but with SECURITY ALERT 57, you need the CREATE
> or the CREATE ANY LIBRARY privilege. The exploit is dependent on these
> privileges, so if they are not granted to users, the exploit fails. How a
> user could exploit these without being able to connect is difficult to
The analyst should do more analysis then. It is really very simple.
> I'd like to see them put out a patch for this, but without some more proof
> of the anonymous exploit, and motivation to fix the problem regardless of
> "architectural constraints", I don't think they will.
I believe the Oracle security guys know this can be done without credentials
and if this is the case then it seems that one hand is not speaking to the
other. If, however, the Oracle security guys believe this is not exploitable
without a user ID and password, then let me know. I'm more than happy to
supply Oracle with the exploit.
Can we get this resolved, once and for all, please?